The CSO of the future

What does the future hold for enterprise security? What will programs, roles, technologies and policies look like in five years or so?


What does the future hold for enterprise security? What will programs, roles, technologies and policies look like in five years or so?

Prognosticating can be tricky, especially in such a fast-changing digital environment. But part of the security executive's job is to not only keep up with the latest developments, but also to anticipate what might come next so companies can prepare to handle challenges. CSO interviewed security executives about the future and where they see their discipline headed. Here are some of the major trends they expect to see.

Changing role of the security officer

There will be a continued convergence of physical and cybersecurity, and this will affect the role of the security executive, says Roland Cloutier, CSO at ADP, a provider of human resources, payroll, tax and benefits administration services.

"The management [issues] of physical investigatory and cybersecurity functions are so interrelated that it just makes sense to have a single management function that has appropriate transparency and oversight," Cloutier says. "We will still have global metrics for all those [security] service areas and there will still be service silos," but they will all be managed under one department, he says.

"I believe that's where the [corporate security] world will be headed, and it's already in the nascent stages," Cloutier says. "This has been a topic for security executives in the last few years, but now we're seeing large organisations heading down that path."

Many companies will consolidate the CSO and CISO functions, Cloutier says. But that won't reduce the importance of either physical or cybersecurity, and the people in that role will need to be experts in all aspects of security.

Regardless of what title these individuals hold, the important factor is that all security and risk management will be under one roof. "We will not have competing security executives on either side of the house," Cloutier says. "You'll have one individual or entity that is required to make risk-based decisions for the organisation."

Future security leaders will be more technically inclined than they are today, Cloutier predicts. "We've spent a lot of time saying that security executives need to understand the business or have leadership skills," he says. "But I don't think you can [perform] this role in the future unless you have an incredible knowledge of technology."

At the same time, security chiefs will need to assert themselves as business leaders. "As the C-suite continues to recognise the importance of security, and that it must be an integral part of holistic business strategy, heads of security need to be more a part of the decision-making process for the business as a whole," says Richard Greenberg, information security officer at the Los Angeles County Department of Public Health.

And in addition to security, executives must become more proficient in data-privacy matters. "There will be more interaction between privacy and security," says Jason Taule, chief security and privacy officer at FEI Systems, a provider of information and analytics services for government entities dealing with behavioral and mental healthcare. Personal and professional information are getting harder to separate as more and more companies start using social media and big data. That blending will create tension that could lead to more legal actions, he says.

Companies will need to someone in the role of chief privacy officer, and this person should probably be the same as the top security officer, Taule says, because guarding privacy--whether it's that of employees or customers--is so closely linked to protecting data.

"I do think the security officer's job will become increasingly about privacy because we need to ensure the actions we take do not infringe on the rights of data owners, especially when the data in question has been entrusted to us for safekeeping," Taule says. "Privacy is just another question of risk. And the security officer's job is about managing different kinds of risks."

Next section: Changing roles within security departments

"Recommended For You"

Facebook and Twitter security risks aren't the responsibility of IT RSA Conference 2011 roundup: GRC in the cloud, mobile...